An toàn bảo mật mạng - Chương 2: Tấn công mạng máy tính

ge đến hệ thống dịch vụ của mục tiêu. Phương pháp này làm gia tăng traffic không cần thiết, làm suy giảm băng thông của mục tiêu. Tấn công mạng máy tính 62 Amplification Attack Tấn công mạng máy tính 63 Resource Deleption Attack Resource Deleption Attack là kiểu tấn công trong đó Attacker gửi những packet dùng các protocol sai chức năng thiết kế, hay gửi những packet với dụng ý làm tắt nghẽn tài nguyên mạng làm cho các tài nguyên này không phục vụ user thông thường khác được. Protocol Exploit Attack. Malformed Packet Attack. Tấn công mạng máy tính 64 Protocol Exploit Attack TCP Client Client Port 1024-65535 TCP Server Service Port 1-1023 SYS ACK SYN/ACK 80 Malicious TCP Client Victim TCP Server SYS packet with a deliberately fraudulent (spoofed) source IP return address SYS/ACK SYN 80 ? Tấn công mạng máy tính 65 Protocol Exploit Attack Tấn công mạng máy tính 66 Malformed Packet Attack Là cách tấn công dùng các Agent để gửi các packet có cấu trúc không đúng chuẩn nhằm làm cho hệ thống của nạn nhân bị treo. Có hai loại Malformed Packet Attack: IP address attack: dùng packet có địa chỉ gửi và nhận giống nhau làm cho hệ điều hành của nạn nhân không xử lý nổi và bị treo. IP packet options attack ngẫu nhiên hóa vùng OPTION trong IP packet và thiết lập tất cả các bit QoS lên 1, điều này làm cho hệ thống của nạn nhân phải tốn thời gian phân tích, nếu sử dụng số lượng lớn Agent có thể làm hệ thống nạn nhân hết khả năng xử lý. Tấn công mạng máy tính 67 Một số đặc tính của công cụ DDoS DDoS software Tool Agent Setup Attack Network Comminication OS supported Instalation Hide with rootkit Active Passive Yes No Backdoor Bugged website Corrupted File Protocol Encruption Agent Activation Methods Unix Solaris Linux Actively Poll Live&wait TCP UDP ICMP Trojan Buffer Overflow Windows Agent Handlerl IRC Basedl Client Handlerl Agent Handlerl None YES Private/Serect No Public Tấn công mạng máy tính 68 4. Tấn công sử dụng mã độc Malicious code often masquerades as good software or attaches itself to good software Some malicious programs need host programs Trojan horses, logic bombs, viruses Others can exist and propagate independently Worms, automated viruses Many infection vectors and propagation methods Modern malware often combines trojan, rootkit, and worm functionality Tấn công mạng máy tính 69 Trojans A Trojan horse is malicious code hidden in an apparently useful host program When the host program is executed, trojan does something harmful or unwanted User must be tricked into executing the host program In 1995, a program distributed as PKZ300B.EXE looked like a new version of PKZIP when executed, it formatted your hard drive Old-style trojans did not replicate, but today many are spread by virus- and worm-like mechanisms Tấn công mạng máy tính 70 Example of a Trojan Discover a helpdesk application on a Web server Via misconfigured FrontPage, which allows arbitrary uploads and downloads from webroot directory Modify its input validation routine Change the list of invalid characters to contain only spaces and ~ Use SQL injection to log in with admin privileges Hijack a dormant VPN account and log into the internal network via VPN Tấn công mạng máy tính 71 More Trojans 1987: Login program on NASA computers hacked by Chaos Computer Club, steals passwords 1999: Hacked login program at U. of Michigan steals 1534 passwords within 23 hours 2003: AOL employees tricked into accepting trojans via AIM, hackers get complete remote control over their machines via IRC Also social engineering to steal passwords 2003: Badtrans worm installs a keystroke-logging trojan, sends log to one of 22 email accounts Tấn công mạng máy tính 72 Viruses Virus propagates by infecting other programs Automatically creates copies of itself, but to propagate, a human has to run an infected program Self-propagating malware usually called worm Many propagation methods Insert a copy into every executable (.COM, .EXE) Insert a copy into boot sectors of disks PC era: “Stoned” virus infected PCs booted from infected floppies, stayed in memory, infected every inserted floppy Infect TSR (terminate-and-stay-resident) routines By infecting a common OS routine, a virus can always stay in memory and infect all disks, executables, etc. Tấn công mạng máy tính 73 First Virus: Creeper Written in 1971 at BBN Infected DEC PDP-10 machines running TENEX OS Jumped from machine to machine over ARPANET Copied its state over, tried to delete old copy Payload: displayed a message “I’m the creeper, catch me if you can!” Later, Reaper was written to hunt down Creeper Tấn công mạng máy tính 74 Virus Techniques Macro viruses A macro is an executable program embedded in a word processing document (MS Word) or spreadsheet (Excel) When an infected document is opened, virus copies itself into global macro file and makes itself auto-executing (invoked whenever any document is opened) Stealth techniques Rootkit: infect OS so that infected files appear normal Code mutation and obfuscation Tấn công mạng máy tính 75 Polymorphic Viruses Encrypted viruses: constant decryptor followed by the encrypted virus body Polymorphic viruses: constantly create new random encryptions of the same virus body Virus includes an engine for creating new keys and new encryptions of the virus body Decryptor code constant and can be detected Historical note: “Crypto” virus decrypted its body by brute-force key search to avoid explicit decryptor code Tấn công mạng máy tính 76 Metamorphic Viruses Obvious next step: mutate the virus body, too! Apparition: early Win32 metamorphic virus Carries its source code (contains useless junk) Looks for compiler on infected machine Changes junk in its source and recompiles itself New binary copy looks different! Mutation is common in macro and script viruses Macros/scripts are usually interpreted, not compiled Tấn công mạng máy tính 77 Virus Detection Simple anti-virus scanners Look for signatures (fragments of known virus code) Heuristics for recognizing code associated with viruses Example: polymorphic viruses often use decryption loops Integrity checking to find modified files Record file sizes, checksums, keyed HMACs of contents Generic decryption and emulation Emulate CPU execution for a few hundred instructions, recognize known body after virus decrypts Does not work very well against metamorphic viruses and viruses not located near beginning of infected executable What if decryptor starts with millions of NOPs? Tấn công mạng máy tính 78 Rootkits Rootkit is a set of trojan system binaries Main characteristic: stealthiness Hides infection from the host’s owner Often includes a sniffer (to record users’ passwords) Originally on Unix Typical infection path Use stolen password or dictionary attack to log in Use a buffer overflow in a vulnerable local program to gain root privileges rdist, sendmail, loadmodule, rpc.ypupdated, lpr, passwd Download rootkit, unpack, compile, install Tấn công mạng máy tính 79 Hiding Rookit’s Presence on Unix Create a hidden directory /dev/.lib, /usr/src/.poop and similar Often use invisible characters in directory name (why?) Install hacked binaries for system programs such as netstat, ps, ls, du, login Modified binaries have same checksum as originals What should be used instead of checksum? Tấn công mạng máy tính 80 Function Hooking Idea: replace the pointer to a legitimate function with the address of malicious code Pointer hooking Modify the pointer in OS’s Global Offset Table, where function addresses are stored “Detour” or “inline” hooking Insert a jump in first few bytes of a legitimate function This requires subverting memory protection! Detectable by a clever rootkit detector Hard to hide user-land rootkit from kernel-level detector Tấn công mạng máy tính 81 Kernel Rootkits Get loaded into kernel as an external module For example, via compromised device driver or a badly implemented “digital rights” module (e.g., Sony XCP) Replace addresses in system call table, interrupt descriptor table, etc. If kernel modules disabled, directly patch kernel memory through /dev/kmem (SucKIT rootkit) Inject malicious code into a running process via PTRACE_ATTACH and PTRACE_DETACH Security software is often the first injection target! Tấn công mạng máy tính 82 Mebroot (Windows) Replaces the host’s Master Boot Record (MBR) First physical sector of the hard drive Launches before Windows loads No registry changes, very little hooking Stores data in physical sectors, not files Invisible through the normal OS interface Uses its own version of network driver API to send and receive packets Invisible to “personal firewall” in Windows Used in the Torpig botnet Tấn công mạng máy tính 83 Detecting Rootkit’s Presence Sad way to find out Run out of physical disk space because of sniffer logs Logs are invisible because du and ls have been hacked! Manual confirmation Reinstall clean ps and see what processes are running Automatic detection Rootkit does not alter the data structures normally used by netstat, ps, ls, du, ifconfig Host-based intrusion detection can find rootkit files assuming an updated version of rootkit did not disable the intrusion detection system! Tấn công mạng máy tính 84 Câu hỏi ? Ý kiến ? Đề xuất ?